Department of Homeland Security

Evaluation of DHS’ Information Security Program for Fiscal Year 2012

OIG-13-04                                                        October 2012

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

October 24, 2012

MEMORANDUM FOR:   Emery Csulak
                  Acting Chief Information Security Officer

FROM:             Frank W. Deffer
                  Assistant Inspector General
                  Information Technology Audits

SUBJECT:          Evaluation of DHS’ Information Security Program for Fiscal Year 2012

Attached for your action is our final report, Evaluation of DHS’ Information Security Program for Fiscal Year 2012. We incorporated the formal comments from the Director, Departmental GAO-OIG Liaison Office, in the final report.

The report contains six recommendations aimed at improving the Department’s information security program. The Department concurred with all recommendations. As prescribed by the Department of Homeland Security Directive 077-1, Follow-Up and Resolutions for the Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation. Until your response is received and evaluated, the recommendations will be considered open and unresolved.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Chiu-Tong Tsang, Director, Information Security Audit Division, at (202) 254-5472.

Attachment

Table of Contents

Executive Summary ............................................................ 1
Background ................................................................... 2
Results of Evaluation ........................................................ 4
Recommendations ............................................................. 21
Management Comments and OIG Analysis ........................................ 22

Appendixes
    Appendix A: Objectives, Scope, and Methodology .......................... 25
    Appendix B: Management Comments to the Draft Report ..................... 27
    Appendix C: System Inventory ............................................ 30
    Appendix D: Status of Risk Management Program ........................... 34
    Appendix E: Status of Configuration Management Program .................. 36
    Appendix F: Status of Incident Response and Reporting Program ........... 38
    Appendix G: Status of Security Training Program ......................... 40
    Appendix H: Status of Plans of Actions and Milestones Program ........... 42
    Appendix I: Status of Remote Access Program ............................. 44
    Appendix J: Status of Account and Identity Management Program ........... 46
    Appendix K: Status of Continuous Monitoring Program ..................... 48
    Appendix L: Status of Contingency Planning Program ...................... 50
    Appendix M: Status of Agency Program to Oversee Contractor Systems ...... 52
    Appendix N: Status of Security Capital Planning Program ................. 53
    Appendix O: Major Contributors to This Report ........................... 55
    Appendix P: Report Distribution ......................................... 56

Abbreviations
    ATO         Authority to Operate
    CBP         Customs and Border Protection
    CISO        Chief Information Security Officer
    CPIC        Capital Planning and Investment Control
    DHS         Department of Homeland Security
    FEMA        Federal Emergency Management Agency
    FIPS        Federal Information Processing Standards
    FISMA       Federal Information Security Management Act
    FY          fiscal year
    HQ          Headquarters
    HSPD-12     Homeland Security Presidential Directive 12
    ICAM PMO    Identity, Credential, and Access Management Program Management Office
    ICE         Immigration and Customs Enforcement
    ISO         Information Security Office
    ISSO        Information System Security Officer
    IT          information technology
    MGMT        Management Directorate
    NIST        National Institute of Standards and Technology
    NPPD        National Protection and Programs Directorate
    OIG         Office of Inspector General
    OMB         Office of Management and Budget
    PIV         Personal Identity Verification
    POA&M       Plan of Action and Milestones
    RMS         Risk Management System
    S&T         Science and Technology Directorate
    SA          System Administrator
    SOC         Security Operations Center
    SP          Special Publication
    TIC         Trusted Internet Connections
    TSA         Transportation Security Administration
    USCG        United States Coast Guard
    USCIS       United States Citizenship and Immigration Services
    USGCB       United States Government Configuration Baseline
    USSS        United States Secret Service

www.oig.dhs.gov                                                        OIG-13-04

Executive Summary

We conducted an independent evaluation of the Department of Homeland Security (DHS) information security program and practices to comply with the requirements of the Federal Information Security Management Act. In evaluating DHS’ progress in implementing its agency-wide information security program, we specifically assessed the Department’s plans of action and milestones, security authorization processes, and continuous monitoring programs. We performed fieldwork at both the program and component levels.

DHS continues to improve and strengthen its security program. During the past year, DHS developed and implemented the Fiscal Year 2012 Information Security Performance Plan to focus on areas that the Department would like to improve upon throughout the year. Specifically, DHS identified in the performance plan several key elements that are indicative of a strong security program, such as plans of action and milestones weakness remediation. In addition, DHS has taken actions to address the Administration’s cybersecurity priorities, which include implementing trusted Internet connections, continuously monitoring DHS information systems, and employing personal identity verification compliant credentials to improve logical access for its systems.

While these efforts have resulted in some improvements, components still are not executing all of the Department’s policies, procedures, and practices.
In addition, our review identified the following more significant exceptions to a strong and effective information security program: (1) systems are being authorized though key information is missing or outdated; (2) plans of action and milestones are not being created for all known information security weaknesses or mitigated in a timely manner; and (3) baseline security configurations are not being implemented for all systems. Additional information security program areas that need improvement include incident detection and analysis, specialized training, account and identity management, and contingency planning. Finally, the Department still needs to (1) consolidate all of its external connections, (2) implement a near-real-time monitoring capability, and (3) employ personal identity verification compliant cards for logical access on its information systems.

We are making six recommendations to the Chief Information Security Officer. The Department concurred with all recommendations and has begun to take actions to implement them. The Department’s responses are summarized and evaluated in the body of this report and included, in their entirety, as appendix B.

Background

Due to the increasing threat to information systems and the highly networked nature of the Federal computing environment, Congress, in conjunction with the Office of Management and Budget (OMB), requires an annual review and reporting of agencies’ compliance with Federal Information Security Management Act (FISMA) requirements. FISMA focuses on the program management, implementation, and evaluation of the security of unclassified and national security systems.

Recognizing the importance of information security to the economic and national security interests of the United States, Congress enacted Title III of the E-Government Act of 2002 (Public Law 107-347, Sections 301-305) to improve security within the Federal Government. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Title III of the E-Government Act, entitled FISMA, provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support Federal operations and assets.

FISMA requires each Federal agency to develop, document, and implement an agency-wide security program. The security program should protect the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are charged with conducting an annual evaluation of information programs and systems under their purview, as well as an assessment of related security policies and procedures. Offices of Inspector General (OIG) must independently evaluate the effectiveness of an agency’s information security program and practices on an annual basis.

OMB issues updated instructions annually for agency and OIG reporting under FISMA. Our annual FISMA evaluation summarizes the results of our review of DHS’ information security program and practices based on the draft reporting guidance dated March 6, 2012.[1]

[1] On October 2, 2012, OMB issued Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

In March 2012, the Cybersecurity Coordinator and Special Assistant to the President identified three Administration priorities and recommended that Federal agencies focus their resources on the most effective controls to improve cybersecurity and the security of Federal information systems:[2]

• Trusted Internet Connections (TIC) – consolidate external telecommunication connections and ensure a set of baseline security capabilities for situational awareness and enhanced monitoring.

• Continuous Monitoring of Federal Information Systems – transforms the otherwise static security control assessment and authorization process into a dynamic risk mitigation program that provides essential, near real-time security status and remediation, increasing visibility into system operations and helping security personnel make risk-management decisions based on increased situational awareness.

• Strong Authentication – passwords alone provide little security. Federal smartcard credentials, such as Personal Identity Verification (PIV) and common access cards, provide multi-factor authentication and digital signature and encryption capabilities, authorizing users to access Federal information systems with a higher level of assurance.

The Administration’s goal is that, by the end of 2014, Federal agencies will achieve 95 percent utilization of critical Administration cybersecurity capabilities on Federal information systems, including TIC, continuous monitoring, and strong authentication. The Administration’s priorities are integrated with other Federal cybersecurity activities, including OMB’s fiscal year (FY) 2011 FISMA report and FY 2012 FISMA metrics.

The Chief Information Security Officer (CISO), who leads the Information Security Office (ISO), is responsible for managing DHS’ information security program. To aid in managing its security program, the CISO developed the Fiscal Year 2012 DHS Information Security Performance Plan to enhance DHS’ information security program and continued to improve existing processes, such as continuous monitoring of its information systems, system security authorizations, and plan of action and milestones (POA&M) remediation.
DHS uses enterprise management tools[3] to collect and track data related to all unclassified and classified POA&M activities, including weaknesses identified during self-assessments and the security authorization process.[4] DHS’ enterprise management tools also collect data on other FISMA metrics, such as the number of systems that have implemented DHS’ security baseline configurations and the number of employees who have received information technology (IT) security training.

[2] Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, March 7, 2012.
[3] DHS enterprise management tools collect and track only Sensitive But Unclassified and Secret POA&M data.
[4] According to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems – A Security Life Cycle Approach, Revision 1, security authorization is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

Results of Evaluation

Based on the requirements outlined in FISMA and the annual reporting instructions, our independent evaluation focused on 11 key areas of DHS’ information security program. Specifically, we reviewed the Department’s system inventory, risk management, configuration management, incident response and reporting, security training, POA&M, remote access, identity and access management, continuous monitoring, contingency planning, and security capital planning across 10 components and offices.[5] We separated the results of our evaluation into these key areas. For each area, we identified the progress that DHS has made since our FY 2011 evaluation and any issues that DHS needs to address to become more successful in the respective information security program area.

[5] Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), Immigration and Customs Enforcement (ICE), Management Directorate (MGMT), National Protection and Programs Directorate (NPPD), Science and Technology Directorate (S&T), Transportation Security Administration (TSA), United States Citizenship and Immigration Services (USCIS), United States Coast Guard (USCG), and United States Secret Service (USSS).

    Overall Progress

    DHS continued to improve its information security program during FY 2012. For example, the CISO:

    • Developed the Fiscal Year 2012 DHS Information Security Performance Plan to enhance DHS’ information security program and continue to improve existing processes, such as continuous monitoring, POA&M, and security authorization.

    • Updated the Department’s baseline IT security policies and procedures in DHS Sensitive Systems Policy Directive 4300A and its companion, DHS 4300A Sensitive Systems Handbook, to reflect the changes made in DHS security policies and various NIST guidance.

    • In April 2012, the DHS CISO issued its second State of Cybersecurity at The Department of Homeland Security report. The report outlines how DHS anticipates and addresses emerging security risks from new technology products and advanced threat actor techniques, including its new initiatives and programs that ensure a secure computing environment within the Department. The report presents relevant information to employees for protecting their information and increasing the Department’s cybersecurity awareness.

    • The overall quality of security authorization documentation continues to improve in FY 2012. Compared with FY 2011, we identified fewer deficiencies in the security authorization documentation for the systems that were selected for review.

    Overall Issues To Be Addressed

    Despite the actions taken by the CISO to improve the Department’s overall information security program, we identified several issues that should be addressed to strengthen DHS’ security posture. For example, we determined that components are not satisfying all of the Department’s information security policies, procedures, and practices. Specifically, we identified deficiencies with component POA&M management, system security authorization, and continuous monitoring. In addition, components have not implemented all of the information system baseline configurations in accordance with DHS policies and procedures. For example, we identified the following deficiencies:

    • Components have not implemented all required United States Government Configuration Baseline (USGCB) settings on the information systems selected for review.

    • Components have not incorporated all known information security weaknesses into POA&Ms for the Department’s unclassified systems.

    • Artifacts supporting the authorization of selected systems were either missing key information or outdated, which restricts the ability of authorizing officials to make credible risk-based decisions.

    • DHS has not established a formal process to track its external information systems and cloud-based systems inventory. Currently, external information systems and cloud-based systems are maintained manually, outside of the DHS systems’ enterprise management inventory tools.

    • As part of DHS’ Cybersecurity Capability Validation assessment conducted in April 2012, the National Cyber Security Division’s[6] Federal Network Security branch reported that nine external connections are not consolidated through an approved TIC access point.[7] As required under OMB’s Implementation of Trusted Internet Connections (TIC) memorandum, the Federal Government shall reduce the number of external connections, including Internet points of presence.[8]

    • DHS has not provided adequate oversight on its contractor-hosted websites to ensure that these external information systems are tested annually and that effective security controls have been implemented.

    [6] The National Cyber Security Division, which is a division under the Office of Cybersecurity and Communications within NPPD, is responsible for implementing OMB’s TIC initiative for the Federal Government.
    [7] Trusted Internet Connection Initiative Department of Homeland Security Cybersecurity Capability Validation Report, April 2012.
    [8] OMB Memorandum M-08-05, Implementation of Trusted Internet Connections (TIC), November 20, 2007.

    System Inventory

    DHS continues to maintain and update its FISMA systems inventory, including agency and contractor systems, on an annual basis. In addition, DHS conducts site visits as part of its annual inventory update process.

    Progress

    • As of June 2012, DHS has a total of 675 systems, which include a mix of major applications and general support systems that are categorized as Sensitive But Unclassified, Secret, or Top Secret.

    • As of June 2012, DHS has conducted 71 component site visits as part of its annual refresh process, which includes providing components with additional guidance in the discovery of new systems, identification of system boundaries, and the resolution of any other inventory issues.

    Issues To Be Addressed

    • As of July 2012, DHS has not established an automated capability to track the hardware devices and software deployed at all component sites.

    See appendix C for information on DHS’ system inventory and appendix M for the status of DHS’ Agency Program to Oversee Contractor Systems.

    Risk Management Program

    DHS requires components to use enterprise-wide tools that incorporate NIST security controls to perform their security authorizations. DHS uses the risk management system (RMS) automated tool to provide the basis for the controls to be identified in the various security authorization documents as well as templates for the security authorization documents, and its enterprise management tools to centralize the documents supporting the security authorization process and authority to operate (ATO) for each system.

    Components are required to use RMS to apply NIST SP 800-53 security controls for all system self-assessments.
DHS uses security authorization artifacts created\n        from RMS and uploaded into its enterprise management tools by the\n        components to monitor their progress in authorizing systems, including the\n        following:\n\n        \xef\xbf\xbd Federal Information Processing Standards (FIPS) 199 Categorization\n        \xef\xbf\xbd Privacy Threshold Analysis and, if required, Privacy Impact Assessment\n        \xef\xbf\xbd e-Authentication\n        \xef\xbf\xbd Security Plan\n        \xef\xbf\xbd Contingency Plan\n        \xef\xbf\xbd Security Assessment Plan\n        \xef\xbf\xbd Contingency Plan Test Results\n        \xef\xbf\xbd Security Assessment Report\n        \xef\xbf\xbd Authorization Decision Letter which includes an updated Security Plan,\n          POA&M, and Security Assessment Report\n        \xef\xbf\xbd Annual Self-Assessments\n\n        For some of the systems that were granted ATO, the artifacts that are required\n        to support the authorization were missing, incomplete, or outdated. We\n        identified a similar issue in our FY 2010 and FY 2011 FISMA reports.9\n\n\n9\n EvaluationfoffDHS\xe2\x80\x99fInformationfSecurityfProgramfforfFiscalfYearf2010f(OIG-11-01, October 2010),\nEvaluationfoffDHS\xe2\x80\x99fInformationfSecurityfProgramfforfFiscal Yearf2011 (OIG-11-113, September 2011).\n\n                                                   7\n\nwww.oig.dhs.gov\t                                                                            OIG-13-04\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                            Department of Homeland Security\n\n\n       Progress\n\n       \xe2\x80\xa2\t The overall quality of security authorization documentation has continued to\n          improve in FY 2012. 
For example, compared with FY 2011, we identified\n          fewer deficiencies within the security authorization documentation for the\n          systems that were selected for review.\n\n       Issues To Be Addressed\n\n       \xe2\x80\xa2\t We selected 25 systems (20 Sensitive But Unclassified, 5 Secret) from 10\n          components and offices to evaluate the quality of documents that support\n          DHS\xe2\x80\x99 security authorization process. For some of the systems that were\n          granted ATO, the artifacts that are required to support the authorization\n          were missing, incomplete, or outdated. Without this information, agency\n          officials cannot make credible, risk-based decisions on whether to authorize\n          the system to operate. Specifically, we determined that:\n\n           \xef\xbf\xbd For 17 security plans, certain elements within the plans are missing,\n             including sections that describe operational and configuration security\n             controls.\n\n           \xef\xbf\xbd Two systems did not have completed or updated FIPS-199 categorization\n             worksheets. The FIPS-199 determination, when applied properly during\n             the risk assessment process, helps agency officials to select applicable\n             controls for the information systems.\n\n           \xef\xbf\xbd Six classified systems are operating with an expired ATO. 
Some of these\n             systems have been operating without an ATO since 2007.\n\n           \xef\xbf\xbd Two systems did not have the outstanding risks and/or acceptance of\n             those risks documented in the authorization decision letter and/or\n             POA&M.\n\n           \xef\xbf\xbd Two systems had outdated or nonexistent memorandums of\n             understanding with organizations (external to the component) with\n             which they are sharing data.\n\n           \xef\xbf\xbd One system did not have a completed and approved privacy impact\n             assessment.\n\n       See appendix D for status on DHS\xe2\x80\x99 Risk Management Program.\n\n                                           8\n\nwww.oig.dhs.gov\t                                                              OIG-13-04\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                            Department of Homeland Security\n\n\n\n       Plans of Action and Milestones Program\n\n\n       DHS requires components to create and maintain POA&Ms for all known IT\n       security weaknesses. In addition, DHS performs automated reviews on its\n       unclassified and classified POA&Ms for accuracy and completeness and provides\n       the results to components daily. Despite these efforts, components are not\n       entering and tracking all IT security weaknesses in DHS\xe2\x80\x99 unclassified and\n       classified enterprise management tools, or ensuring that all of the data entered\n       are accurate and updated in a timely manner.\n\n       Progress\n\n       \xe2\x80\xa2\t Components have created POA&Ms for all notices of findings and\n          recommendations for the weaknesses identified during our FY 2011 financial\n          statement audit.\n\n       Issues To Be Addressed\n\n       \xe2\x80\xa2\t Components are not correcting all deficiencies identified during DHS\xe2\x80\x99\n          POA&M quality reviews. 
Our review of DHS\xe2\x80\x99 quality reports identified\n          repeated deficiencies, such as inaccurate milestones, lack of resources to\n          mitigate the weaknesses, and delays in resolving the POA&Ms that are not\n          being corrected by the components. We identified similar problems in our\n          FY 2010 and FY 2011 FISMA reports.\n\n       \xe2\x80\xa2\t DHS did not monitor the adequacy of the POA&Ms for its Top Secret systems.\n          For example, DHS did not perform any reviews or oversight functions on Top\n          Secret POA&Ms that are manually tracked outside of the Department\xe2\x80\x99s\n          enterprise management tools. As a result, DHS cannot ensure that POA&Ms\n          have been created to mitigate the security vulnerabilities identified on its\n          Top Secret systems and that they are managed in accordance with the\n          Department\xe2\x80\x99s policies and procedures. We identified this issue in our\n          FY 2011 report.\n\n       \xe2\x80\xa2\t Based on our analysis of data from DHS\xe2\x80\x99 enterprise management tools,\n          component CISOs and information system security officers are not\n          maintaining current information on the progress of security weakness\n          remediation, and not all POA&Ms are being resolved in a timely manner. As\n          of June 30, 2012, we identified the following deficiencies for POA&Ms that\n          are classified as Sensitive But Unclassified and Secret.\n\n                                           9\n\nwww.oig.dhs.gov\t                                                              OIG-13-04\n\x0c                               OFFICE OF INSPECTOR GENERAL\n                                   Department of Homeland Security\n\n\n\n         Sensitive But Unclassified POA&Ms\n\n             \xef\xbf\xbd Components are not monitoring the status of their high-priority POA&Ms\n               or reviewing them for consistency and completeness. 
    DHS requires component CISOs to monitor the progress of the POA&M implementation and remediation efforts. Specifically, component CISOs are required to review and approve all priority 4 and priority 5 POA&Ms to ensure that the weaknesses are properly prioritized, and that appropriate resources are identified for remediation.[10] As of June 30, 2012, only 132 (55 percent) of 241 priority 4 and 5 POA&Ms have been reviewed and approved by a component CISO.

  - Component CISOs are not updating information concerning all weaknesses. Of the 4,377 open POA&Ms with estimated completion dates, 348 (8 percent) were delayed by at least 3 months (prior to April 1, 2012). Further, 127 POA&Ms had an estimated completion date more than 1 year old, dating as far back as March 2008. In addition, while 36 POA&Ms have been designated as significant deficiencies, they have not been identified as material weaknesses as required by DHS POA&M guidance.

  - DHS requires that a reasonable resources estimate of at least $50 be provided to mitigate the weakness identified. Resources required for the remediation of 81 (2 percent) of 4,377 open POA&Ms either were not identified or did not meet the $50 requirement. Further, 307 (7 percent) of open POA&Ms are scheduled to take more than 2 years to mitigate the weaknesses. DHS and OMB require POA&Ms to be completed timely.

  - DHS requires that POA&M data be monitored and updated on a continuous basis, as events occur.
    In addition, all information in the POA&M must be updated at least monthly and be accurate on the first day of each month for Department tracking and reporting purposes. We determined that 1,245 POA&Ms, or 28 percent of open POA&Ms, have not been updated for 90 days as of June 30, 2012. Further, 157 POA&Ms have not been updated for a year (i.e., since June 30, 2011).

  - DHS requires components to develop a POA&M for its operational systems that have not received an ATO. We identified five instances where POA&Ms have not been created for operational systems that have not received an ATO.

[10] Priority 4 weaknesses can be assigned to initial audit findings and priority 5 weaknesses to repeat audit findings.

Secret POA&Ms

  - DHS and OMB require POA&Ms to be completed timely. However, we identified 40 (98 percent) of 41 open POA&Ms that are currently delayed. Further, 35 (88 percent) of the 40 POA&Ms have been delayed by at least 3 months (prior to April 1, 2012), including 12 (30 percent) POA&Ms that have been delayed by more than 1 year (prior to June 30, 2011).

  - Thirty-seven (90 percent) of 41 open POA&Ms have not been updated within the past 90 days. Twelve of the 37 POA&Ms have not been updated in more than 1 year.
    DHS requires POA&Ms to be updated at least monthly.

See appendix H for status on DHS’ POA&M Program.

Configuration Management

We evaluated the compliance with USGCB requirements on Windows workstations at CBP, DHS Headquarters (HQ), FEMA, ICE, NPPD, TSA, USCG, USCIS, and USSS. Results from our testing indicated that components have not implemented all required DHS baseline configuration settings. We reported a similar issue in our FY 2010 and FY 2011 reports.

Additionally, we reviewed the servers and databases of nine systems that are categorized as high potential impact and contain personal information, as well as seven public-facing component websites, to determine whether DHS has implemented effective controls to secure its databases and websites. We identified vulnerabilities that may weaken the controls implemented to protect the data stored and processed by DHS’ databases and websites.

Finally, we reviewed 24 different systems for compliance with applicable DHS baseline configuration requirements.
Our results indicated that DHS baseline configuration guidelines have not been fully implemented, resulting in deficiencies in the areas of access controls, registry settings, user access, and general security controls.

Progress

• DHS HQ, TSA, USCG, and USCIS have implemented more than 85 percent of USGCB configuration settings on their workstations.

• DHS HQ has developed and begun deploying a Windows 7 image that complies with 99.9 percent of USGCB requirements. DHS HQ anticipates that the migration to Windows 7 will be completed by April 2013.

Issues To Be Addressed

Components have not fully implemented all USGCB required settings on their workstations. Specifically, we determined that CBP, FEMA, and ICE have implemented fewer than 70 percent of the required USGCB settings on their Windows XP workstations, putting their machines at a greater risk of potential exploitation. Components believe that once migration to Windows 7 is complete, Windows XP will become obsolete. However, the majority of DHS’ workstations are based on Windows XP operating systems, which Microsoft will stop supporting in 2014. Further, while six components are migrating to Windows 7, two components have not established an estimated completion date for their Windows 7 migration.
Figure 1 depicts component USGCB compliance by operating system.

Figure 1. Component USGCB Compliance by Operating System[11]

• CBP has not established a standard USGCB baseline image for its Windows XP and Windows 7 user workstations, resulting in an average USGCB compliance of less than 50 percent. We reported a similar issue in our FY 2011 report.

• Results from our vulnerability scans on databases and servers indicated that components are not applying security patches timely or implementing the required security controls. Components included CBP, DHS HQ, FEMA, ICE, TSA, NPPD, USCG, USCIS, and USSS. Deficiencies identified include:

  - Missing security patches for operating systems, database applications, and installed software, such as Adobe Flash, Adobe Acrobat, Java, and Apache;

  - Microsoft Server 2003 and 2008 servers running antivirus software with definitions last updated in August 2011; and

  - DHS databases that have accounts with default passwords, weak password controls, missing software patches, excess user privileges, and vulnerable functionality packages made available to users with the “public” role.

[11] Due to workstation management controls, we were not able to evaluate the compliance of Windows XP workstations at USSS.
In addition, NPPD user workstations are managed under the DHS HQ local area network.

• Our security scans identified vulnerabilities in the six public-facing websites at CBP, FEMA, ICE, NPPD, USCG, and USCIS. For example, we determined that:

  - Six websites have cross-site scripting vulnerabilities that could allow an attacker to hijack user accounts, execute malicious scripts, or access sensitive information.

  - Two websites are vulnerable to structured query language injection attacks that could allow an attacker to read, change, or delete information from databases that support vulnerable websites.

  - Two websites have accessible backup files, potentially allowing an attacker to gain unauthorized knowledge of how the website is constructed and use it to exploit weaknesses.
  - Two websites have vulnerabilities related to logins sent over an unencrypted connection or via unencrypted forms, potentially leading to impersonation of a legitimate user or unauthorized access to information.

• We reported in June 2012 that, while FEMA had established a Windows XP image based on USGCB settings, laptops in the field were not being configured with the standard laptop image.[12] As a result, our scan results from a selection of laptops revealed an average of 55 percent Windows XP compliance.

[12] Progress Has Been Made in Securing Laptops and Wireless Networks at FEMA (OIG-12-93, June 2012).

See appendix E for the status of DHS’ Configuration Management Program.

Incident Response and Reporting Program

DHS has established adequate incident detection, handling, and analysis procedures. In addition, the number of all security incidents reported by the DHS Security Operations Center (SOC) has increased by 1 percent, from 1,589 in FY 2011 to 1,611 in FY 2012.[13] However, there was an overall increase of 30 percent for significant incidents reported to the DHS SOC.[14] See figure 2 for an overview of the incidents that were reported in FY 2012.

[13] We evaluated the number of incidents reported by the SOC between October 1 and May 31 for both FY 2011 and FY 2012.

Figure 2.
FY 2012 SOC Incident Summary

Progress

• DHS SOC conducts incident analysis and correlation to identify trends along with supporting strategy and decision-making. The June 2012 DHS FISMA Scorecard identified each component as having received a 100 percent SOC and Log metric score.

Issues To Be Addressed

• During FY 2012, the Domestic Nuclear Detection Office, Office of Intelligence and Analysis, Federal Law Enforcement Training Center, MGMT, NPPD, Office of Operations Coordination and Planning, OIG, S&T, TSA, USCG, and USSS did not consistently submit weekly incident reports to the DHS SOC, as required.

• Based on the June 2012 FISMA scorecard, S&T (52 percent) and USCG (64 percent) received a score below 75 percent for the vulnerability management metric, which evaluates components’ ability to detect and assess weaknesses in their information systems.

[14] A significant incident is defined as a computer security-related incident that represents a meaningful threat to the DHS mission and requires immediate notification of leadership.

See appendix F for the status of DHS’ Incident Response and Reporting Program.

Security Training Program

The CISO continues to operate an effective security training program.
Specifically, the CISO Training Office has established a process to validate components’ security training and has implemented Information System Security Officer (ISSO) and System Administrator (SA) role-based training courses. However, the CISO is in the process of revising its role-based training program to ensure that all personnel with significant security responsibilities receive appropriate training content.

Progress

• During FY 2012, DHS began to revise its role-based training program. Specifically, DHS is establishing a process that allows components to share training work products, content, and opportunities via Microsoft SharePoint for employees with similar significant security roles. As part of this effort, DHS has identified more than 100 unique significant security roles across the Department.

• During FY 2012, the number of ISSO role-based training courses provided by DHS has increased from 8 in FY 2011 to 12 in FY 2012. In addition, the number of SA courses offered has doubled from two in FY 2011 to four in FY 2012.

Issues To Be Addressed

• As of August 2012, DHS is in the planning phase of using Microsoft SharePoint to enhance its revised role-based training program.
  According to CISO personnel, the implementation should be completed by FY 2013.

• As of July 2012, ISO (31 percent), S&T (38 percent), and USCG (42 percent) are maintaining a completion percentage of 42 percent or below for specialized training.

See appendix G for the status of DHS’ Security Training Program.

Remote Access Program

According to DHS policy, components are responsible for managing all remote access and dial-in connections to their systems through the use of two-factor authentication, providing audit capabilities, and protecting sensitive information throughout transmission. We reviewed the remote access programs at CBP, FEMA, ICE, TSA, USCG, USCIS, and USSS.

Overall, components utilizing remote access have developed policies to outline the controls needed to protect remote connections and have implemented mitigating security controls (multi-factor authentication, firewalls, virtual private network concentrators, etc.) to protect against external threats.

See appendix I for the status of DHS’ Remote Access Program.

Account and Identity Management Program

DHS has made progress in implementing an agency-wide system access management program. However, DHS does not have a centralized capability to identify users and devices connected to its systems.
Specifically, components are currently maintaining their own account and identity management programs.

Progress

• DHS has issued Homeland Security Presidential Directive 12 (HSPD-12) PIV-compliant cards to all employees and contractors across the Department.

• On July 31, 2012, the Undersecretary for Management issued a memorandum providing components with additional guidance regarding the use of PIV-compliant cards to access DHS unclassified networks. Components are required to develop an executable plan and allocate sufficient funding to achieve full implementation.[15]

[15] Implementation of Mandatory Use of the Personal Identity Verification (PIV) Card to Access DHS Networks, July 31, 2012.

• Components have provided the DHS Identity, Credential, and Access Program Management Office (ICAM PMO) with PIV card implementation plans, as required.

• The ICAM PMO has reviewed component implementation plans to develop a Department-wide PIV-enabled logical access plan, which includes milestones, cost estimates, and technical requirements.
  Furthermore, the ICAM PMO has issued concept of operations and other PIV user guidance.

• DHS has revised its Information Technology Acquisition Review process to require components to include a PIV credential compliance clause when procuring IT products, systems, services, hardware, or software.

Issues To Be Addressed

• DHS is not utilizing PIV-compliant cards to access its information systems, as required by OMB. The Department’s goal is to achieve 20 percent compliance by the end of FY 2012, 50 percent by the end of FY 2013, and 75 percent by the end of FY 2014 for accessing components’ local area networks. However, DHS has not established milestones to address the use of PIV cards to access its major applications.

• DHS has yet to employ HSPD-12-compliant cards to access its classified systems. The National Security Systems Joint Program Management Office has developed a department-wide implementation plan, which has not been approved as of June 30, 2012. Further, the plan does not address PIV credential access to stand-alone classified systems.

See appendix J for the status of DHS’ Account and Identity Management Program.

Continuous Monitoring Program

DHS has further improved the automated collection capability of its assets by disseminating a standardized monthly feed template to components, developing a parser to organize scan data, and providing installation and technical support for components’ data feed submissions.
During FY 2012, the CISO performed 41 critical control reviews on selected information systems to ensure that key controls have been implemented and to help components identify potential weaknesses or vulnerabilities.

Progress

• The CISO conducts continuous monitoring working group meetings with the components monthly. The focus of these meetings is to discuss the Enterprise Continuous Monitoring Strategy Development status and monthly data feed status and issues.

• As part of its effort to establish a robust, enterprise-wide continuous monitoring program, DHS has revised its information security scorecard to include HSPD-12 PIV card logical access, monthly asset reporting, and SOC log aggregation metrics to monitor components’ progress.

Issues To Be Addressed

• DHS and its components have not established a real-time and fully automated continuous monitoring capability to track all hardware and network devices, external connections, and software associated with their information systems.

• As of June 2012, five components (FEMA, ICE, S&T, USCG, and USCIS) have scores of 75 percent or below for overall information security.

• As of June 2012, DHS has not performed any critical control reviews on its Top Secret systems.

See appendix K for the status of DHS’ Continuous Monitoring Program.

Contingency Planning Program

DHS maintains an entity-wide business continuity and
contingency planning program. However, components have not complied with all of the Department’s contingency planning requirements.

Progress

• DHS has updated its policies and procedures for its continuity and contingency planning program. Specifically, DHS has developed or updated the following documents during FY 2012:

  - DHS Test, Training and Exercise (TTE) Program Plan – January 2012
  - DHS Headquarters Reconstitution Plan – March 5, 2012
  - DHS Headquarters Continuity of Operations (COOP) Plan – June 4, 2012

• DHS has developed training, testing, and exercise approaches for its business continuity and disaster recovery programs. For example, from March to June 2012, DHS and its components participated in Federal Government continuity exercises to test the activation of continuity plans, information sharing, systems and procedures, and operational capabilities.

Issues To Be Addressed

• The DHS Continuity Plan is under development. According to a DHS Business Continuity and Emergency Preparedness Branch official, the plan will be completed by September 2012.

• Our review of 25 security authorization packages revealed that contingency plans and/or testing reports for 6 systems are missing certain elements, including the identification of alternate processing facilities, or restoration procedures.
  In addition, one contingency plan is not up-to-date. As part of the Department’s overall contingency planning and disaster recovery efforts, DHS requires that an IT contingency plan be developed for all IT systems, detailing how the system will be recovered in the event of an emergency or disaster.

See appendix L for the status of DHS’ Contingency Planning Program.

Security Capital Planning Program

DHS continues to base its Capital Planning and Investment Control (CPIC) process on OMB’s Circular A-11, Part 7 – Planning, Budgeting, Acquisition, and Management of Capital Assets, which defines the policies for planning, budgeting, acquiring, and managing Federal capital assets.[16] The DHS CPIC Guide provides components with policies and procedures for selecting, monitoring, and evaluating the Department’s IT and non-IT investments to ensure that each investment is successfully managed, cost-effective, and supports DHS’ mission and strategic goals.[17] In addition, as part of its Information Technology Acquisition Review process, the Chief Information Officer reviews any proposed IT acquisition of $2.5 million and above.
Finally, DHS has developed an automated process to ensure that the Department’s IT and non-IT investments are successfully managed, cost-effective, and support its mission and strategic goals.

[16] OMB’s Circular A-11, Part 7 – Planning, Budgeting, Acquisition, and Management of Capital Assets, June 2008.

[17] Department of Homeland Security Capital Planning and Investment Control (CPIC) Guide, version 7.1, August 2010.

See appendix N for the status of DHS’ Security Capital Planning Program.

Recommendations

We recommend that the CISO:

Recommendation #1:

Establish a process to ensure that USGCB settings are implemented and maintained at components.

Recommendation #2:

Strengthen the ISO review process to ensure that all applicable controls are included in the security documentation when authorizing systems.

Recommendation #3:

Improve the process to ensure that DHS baseline configuration settings are implemented and maintained on components’ information systems.
  The process should include testing and the use of automated tools and security templates.

Recommendation #4:

Strengthen the ISO review process to ensure that POA&Ms, including those for classified systems, are complete and current.

Recommendation #5:

Enhance the Department’s revised role-based training program to ensure that appropriate role-based training is provided to enable all individuals with significant security responsibilities to perform their required security functions.

Recommendation #6:

Establish a process to ensure that security patches and service packs are applied timely and effective controls are implemented on components’ databases and servers.

Management Comments and OIG Analysis

Management Comments to Recommendation #1

DHS concurred with recommendation 1. The DHS FY 2013 Information Security Scorecard will be utilizing continuous monitoring data feeds from component tools to monitor the implementation of USGCB settings. The Scorecard will be used to communicate progress in addressing gaps and to ensure continued compliance. Estimated completion date: December 31, 2012.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #2

DHS concurred with recommendation 2.
The Department provides an enterprise security authorization tool to ensure the required security controls and documentation are completed. The tool will be revised with improved, streamlined templates and controls to increase the quality of security packages reviewed by the ISO Document Review Team.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #3

DHS concurred with recommendation 3. The DHS FY 2013 Information Security Scorecard will utilize continuous monitoring data feeds from component tools to monitor the implementation of USGCB settings. The Scorecard will be used to communicate progress in addressing gaps and to ensure continued compliance. The continuous monitoring capabilities can be customized by components to monitor their individual baseline control templates. Estimated completion date: December 31, 2012.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #4

DHS concurred with recommendation 4.
The ISO continues to strengthen the POA&M review process to ensure POA&Ms, including those for classified systems, are complete and current. ISO has begun closely tracking components’ progress towards POA&M completion and contacting components when POA&M indicators show inadequate progress. Additionally, ISO has begun educating components on methods within the DHS compliance tool for checking POA&M completeness and monitoring milestone progress so that timely revisions can be made to POA&Ms not meeting expectations.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #5

DHS concurred with recommendation 5. The ISO is developing sample courseware and identifying pre-existing federally available courseware to supplement existing component role-based training programs. In conjunction with component training coordinators, plans are being developed to ensure minimum standards can be deployed in a more consistent manner across the Department.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. This recommendation will remain open until DHS provides supporting documentation that all planned corrective actions are completed.

Management Comments to Recommendation #6

DHS concurred with recommendation 6.
The DHS FY 2013 Information Security\n       Scorecard will utilize continuous monitoring data feeds from component tools to\n\n                                           23\n\nwww.oig.dhs.gov                                                                  OIG-13-04\n\x0c                         OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\n       monitor security patching of databases and servers. The Scorecard will be used\n       to communicate progress in addressing gaps and to ensure continued\n       compliance. Estimated completion date: December 31, 2012.\n\n       OIG Analysis\n\n       We agree that the steps that DHS is taking, and plans to take, begin to satisfy this\n       recommendation. This recommendation will remain open until DHS provides\n       supporting documentation that all planned corrective actions are completed.\n\n\n\n\n                                           24\n\nwww.oig.dhs.gov                                                                  OIG-13-04\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                             Department of Homeland Security\n\n\nAppendix A\nObjectives, Scope, and Methodology\nThe DHS OIG was established by the HomelandfSecurityfActfoff2002 (Public Law\n107- 296) by amendment to the InspectorfGeneralfActfoff1978. This is one of a series of\naudit, inspection, and special reports prepared as part of our oversight responsibilities\nto promote economy, efficiency, and effectiveness within the Department.\n\nThe objective of this review was to determine whether DHS has developed adequate\nand effective information security policies, procedures, and practices, in compliance\nwith FISMA. 
In addition, we evaluated DHS’ progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS’ information security program, the requirements outlined in FISMA, and draft FY 2012 FISMA reporting metrics dated March 2012. We conducted our fieldwork at the departmental level and at DHS’ organizational components and offices, including CBP, DHS HQ, FEMA, ICE, NPPD, S&T, TSA, USCG, USCIS, and USSS.

In addition, we conducted reviews of DHS’ information systems and security program-related areas throughout FY 2012. This report includes the results of a limited number of systems evaluated during the year and our ongoing financial statement review.

As part of our evaluation of DHS’ compliance with FISMA, we assessed DHS and its components against the security requirements mandated by FISMA and other Federal information security policies, procedures, standards, and guidelines. Specifically, we (1) used last year’s FISMA independent evaluation as a baseline for this year’s evaluation; (2) reviewed policies, procedures, and practices that DHS has implemented at the program and component levels; (3) reviewed DHS’ POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (4) reviewed the processes and status of the Department-wide information security program, including system inventory, risk management, configuration management, incident response and reporting, security training, remote access, identity and access management, continuous monitoring, contingency planning, and security capital planning; and (5) developed our independent evaluation of DHS’ information security program.

We reviewed the quality of security authorization packages for a sample of 25 systems at CBP, DHS HQ, FEMA, ICE, NPPD, S&T, TSA, USCG, USCIS, and USSS to ensure that all of the required documents were completed prior to system authorization. In addition, we evaluated the implementation of DHS’ baseline configurations for 24 systems as well as the use of industry-standard best practices for securing 9 databases and 6 public-facing component websites at CBP, FEMA, ICE, NPPD, USCG, and USCIS.
We also reviewed the USGCB settings on user workstations at these components.

We conducted this review between April and August 2012 under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the Council of the Inspectors General on Integrity and Efficiency.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
Washington, DC 20528

October 1, 2012

MEMORANDUM FOR: Frank W. Deffer
Assistant Inspector General
Information Technology Audits

FROM: Jim H. Crumpacker
Director
Departmental GAO-OIG Liaison Office

SUBJECT: Draft OIG Report: "Evaluation of DHS' Information Security Program for Fiscal Year 2012" (OIG Project No. 12-017-ITA-MGMT)

Thank you for the opportunity to review and comment on this draft report. The U.S. Department of Homeland Security (DHS) appreciates the Office of Inspector General's (OIG's) work in conducting its review and issuing this report.

We are pleased to note the OIG's positive recognition that the Department continues to improve and strengthen its security program. As noted in the report, we have taken actions to address the Administration's cybersecurity priorities, which include implementation of trusted internet connections, continuously monitoring the Department's information systems, and employing personal identity verification compliant credentials to improve logical access for its systems. Additionally, we developed and implemented the Fiscal Year 2012 Information Security Performance Plan which contains several key elements that are indicative of a strong security program, such as plans of action and milestones weakness remediation.

The draft report contained six recommendations with which the Department concurs. Specifically, the OIG recommended that the Office of Chief Information Security Officer:

Recommendation 1: Establish a process to ensure that USGCB settings are implemented and maintained at components.

Response: Concur. The DHS Fiscal Year (FY) 2013 Information Security Scorecard will be utilizing continuous monitoring data feeds from Component tools to monitor the implementation of United States Government Configuration Baseline (USGCB) settings. The Scorecard will be used to communicate progress in addressing gaps and to ensure continued compliance. Estimated Completion Date (ECD): December 31, 2012

Recommendation 2: Strengthen the ISO review process to ensure that all applicable controls are included in the security documentation when authorizing systems.

Response: Concur. The Department provides an enterprise security authorization tool to ensure the required security controls and documentation are completed. The tool will be revised with improved, streamlined templates and controls to increase the quality of security packages reviewed by the Information Security Office (ISO) Document Review Team.

Recommendation 3: Improve the process to ensure that DHS baseline configuration settings are implemented and maintained on components' information systems. The process should include testing and the use of automated tools and security templates.

Response: Concur. The DHS FY 2013 Information Security Scorecard will utilize continuous monitoring data feeds from Component tools to monitor the implementation of USGCB settings. The Scorecard will be used to communicate progress in addressing gaps and to ensure continued compliance. The continuous monitoring capabilities can be customized by Components to monitor their individual baseline control templates. ECD: December 31, 2012

Recommendation 4: Strengthen the ISO review process to ensure that POA&Ms, including those for classified systems, are complete and current.

Response: Concur. The ISO continues to strengthen the Plan of Action and Milestones (POA&M) review process to ensure POA&Ms, including those for classified systems, are complete and current. ISO has begun closely tracking Components' progress towards POA&M completion and contacting Components when POA&M indicators show inadequate progress. Additionally, ISO has begun educating Components on methods within the DHS compliance tool for checking POA&M completeness and monitoring milestone progress so that timely revisions can be made to POA&Ms not meeting expectations.

Recommendation 5: Enhance the Department's revised role-based training program to ensure that appropriate role-based training is provided to enable all individuals with significant security responsibilities to perform their required security functions.

Response: Concur. The ISO is developing sample courseware and identifying pre-existing federally available courseware to supplement existing Component role-based training programs. In conjunction with Component training coordinators, plans are being developed to ensure minimum standards can be deployed in a more consistent manner across the Department.

Recommendation 6: Establish a process to ensure that security patches and service packs are applied timely and effective controls are implemented on components' databases and servers.

Response: Concur. The DHS FY 2013 Information Security Scorecard will utilize continuous monitoring data feeds from Component tools to monitor security patching of databases and servers.
The Scorecard will be used to communicate progress in addressing gaps and to ensure continued compliance. ECD: December 31, 2012

Again, thank you for the opportunity to review and comment on this draft report. Technical comments were submitted previously under separate cover. Please feel free to contact me if you have any questions. We look forward to working with you in the future.

Appendix C
System Inventory

Question 1: System Inventory
1. Identify the number of agency and contractors’ systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems that are used by your agency but owned by another Federal agency (i.e., ePayroll, etc.) by component and FIPS 199 impact level.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing
2. For the Total Number of Systems identified by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Column key for the table below:
Q1a = Agency Systems (Number / Number Reviewed)
Q1b = Contractor Systems (Number / Number Reviewed)
Q1c = Total Number of Systems, Agency and Contractor (Column A + Column B) (Total Number / Total Number Reviewed)
Q2a = Number of systems certified and accredited (Total Number / Percent of Total)
Q2b = Number of systems for which security controls have been tested and reviewed in the past year (Total Number / Percent of Total)
Q2c = Number of systems for which contingency plans have been tested in accordance with policy (Total Number / Percent of Total)

Bureau Name   FIPS 199 Level    Q1a-N  Q1a-R  Q1b-N  Q1b-R  Q1c-N  Q1c-R  Q2a-N  Q2a-%  Q2b-N  Q2b-%  Q2c-N  Q2c-%
CBP           High                 17      1      0      0     17      1     17   100%     16    94%     14    82%
              Moderate             65      8      2      0     67      8     63    94%     59    88%     55    82%
              Low                   1      0      0      0      1      0      1   100%      1   100%      1   100%
              Not Categorized       3      0      0      0      3      0      1    33%      1    33%      1    33%
              Sub-total            86      9      2      0     88      9     82    93%     77    88%     71    81%
DHS HQ        High                 11      2      4      0     15      2     14    93%      7    47%     14    93%
              Moderate             21      0     11      3     32      3     29    91%     13    41%     30    94%
              Low                   1      0      3      0      4      0      4   100%      2    50%      4   100%
              Not Categorized       1      0      3      0      4      0      3    75%      1    25%      0     0%
              Sub-total            34      2     21      3     55      5     50    91%     23    42%     48    87%
FEMA          High                 20      4      2      0     22      4     18    82%     18    82%     13    59%
              Moderate             37      2     13      0     50      2     40    80%     40    80%     39    78%
              Low                   3      0      0      0      3      0      3   100%      2    67%      2    67%
              Not Categorized      10      0      0      0     10      0      6    60%      6    60%      5    50%
              Sub-total            70      6     15      0     85      6     67    79%     66    78%     59    69%
FLETC         High                  0      0      0      0      0      0      0      -      0      -      0      -
              Moderate             11      0      2      0     13      0     12    92%     10    77%     12    92%
              Low                   0      0      0      0      0      0      0      -      0      -      0      -
              Not Categorized       0      0      0      0      0      0      0      -      0      -      0      -
              Sub-total            11      0      2      0     13      0     12    92%     10    77%     12    92%
ICE           High                 11      2      1      1     12      3     12   100%     12   100%     11    92%
              Moderate             38      1     12      1     50      2     48    96%     30    60%     49    98%
              Low                   2      0      0      0      2      0      2   100%      2   100%      2   100%
              Not Categorized       1      0      0      0      1      0      1   100%      1   100%      1   100%
              Sub-total            52      3     13      2     65      5     63    97%     45    69%     63    97%
NPPD          High                  7      1      6      1     13      2     13   100%     13   100%     12    92%
              Moderate              7      0     11      1     18      1     18   100%     16    89%     16    89%
              Low                   1      0      6      1      7      1      6    86%      6    86%      6    86%
              Not Categorized       3      1      0      0      3      1      3   100%      3   100%      2    67%
              Sub-total            18      2     23      3     41      5     40    98%     38    93%     36    88%
OIG           High                  2      0      0      0      2      0      2   100%      1    50%      2   100%
              Moderate              0      0      0      0      0      0      0      -      0      -      0      -
              Low                   0      0      0      0      0      0      0      -      0      -      0      -
              Not Categorized       1      0      0      0      1      0      1   100%      0     0%      0     0%
              Sub-total             3      0      0      0      3      0      3   100%      1    33%      2    67%
S&T           High                  2      0      0      0      2      0      1    50%      1    50%      1    50%
              Moderate             13      1     13      0     26      1     26   100%     22    85%     23    88%
              Low                   2      0      1      0      3      0      2    67%      0     0%      2    67%
              Not Categorized       2      0      0      0      2      0      1    50%      0     0%      1    50%
              Sub-total            19      1     14      0     33      1     30    91%     23    70%     27    82%
TSA           High                 24      1      1      0     25      1     25   100%     24    96%     24    96%
              Moderate             30      2     13      1     43      3     43   100%     39    91%     40    93%
              Low                   6      0      2      0      8      0      8   100%      7    88%      7    88%
              Not Categorized       4      1      0      0      4      1      4   100%      4   100%      3    75%
              Sub-total            64      4     16      1     80      5     80   100%     74    93%     74    93%
USCG          High                  9      1      5      1     14      2     13    93%     13    93%     13    93%
              Moderate             67      3     20      0     87      3     67    77%     51    59%     60    69%
              Low                   7      1      2      0      9      1      4    44%      6    67%      6    67%
              Not Categorized      35      3      0      0     35      3     33    94%     16    46%      7    20%
              Sub-total           118      8     27      1    145      9    117    81%     86    59%     86    59%
USCIS         High                  4      1      6      0     10      1     10   100%      3    30%      0     0%
              Moderate             21      0     16      3     37      3     24    65%     21    57%     16    43%
              Low                   1      0      3      0      4      0      4   100%      2    50%      2    50%
              Not Categorized       2      0      0      0      2      0      1    50%      1    50%      1    50%
              Sub-total            28      1     25      3     53      4     39    74%     27    51%     19    36%
USSS          High                  5      1      0      0      5      1      5   100%      5   100%      4    80%
              Moderate              8      2      0      0      8      2      8   100%      8   100%      6    75%
              Low                   0      0      0      0      0      0      0      -      0      -      0      -
              Not Categorized       1      0      0      0      1      0      1   100%      1   100%      1   100%
              Sub-total            14      3      0      0     14      3     14   100%     14   100%     11    79%
Agency Totals High                112     14     25      3    137     17    130    95%    113    82%    108    79%
              Moderate            318     19    113      9    431     28    378    88%    309    72%    346    80%
              Low                  24      1     17      1     41      2     34    83%     28    68%     32    78%
              Not Categorized      63      5      3      0     66      5     55    83%     34    52%     22    33%
              Total               517     39    158     13    675     52    597    88%    484    72%    508    75%

Appendix D
Status of Risk Management Program

Section 2: Status of Risk Management Program
Response:

1. Check one:
A. The Agency has established and is maintaining a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
   1. Documented and centrally accessible policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process.
   2. Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST 800-37, Rev. 1.
   3. Addresses risk from a mission and business process perspective and is guided by the risk decisions at the organizational perspective, as described in NIST 800-37, Rev. 1.
   4. Addresses risk from an information system perspective and is guided by the risk decisions at the organizational perspective and the mission and business perspective, as described in NIST 800-37, Rev. 1.
   5. Categorizes information systems in accordance with government policies.
   6. Selects an appropriately tailored set of baseline security controls.
   7. Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation.
   8. Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
   9. Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.
   10. Ensures information security controls are monitored on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.
   11. Information system specific risks (tactical), mission/business specific risks and organizational level (strategic) risks are communicated to appropriate levels of the organization.
   12. Senior Officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO).
   13. Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information system-related security risks.
   14. Security authorization package contains system security plan, security assessment report, and POA&M in accordance with government policies.
   15. Security authorization package contains Accreditation boundaries for Agency information systems defined in accordance with government policies.
B. The Agency has established and is maintaining a risk management program. However, the Agency needs to make significant improvements as noted below.
C. The Agency has not established a risk management program.

2. If B. is checked above, check areas that need significant improvement:
   a. Risk Management policy is not fully developed.
   b. Risk Management procedures are not fully developed, sufficiently detailed (SP 800-37, SP 800-39, SP 800-53).
   c. Risk Management procedures are not consistently implemented in accordance with government policies (SP 800-37, SP 800-39, SP 800-53).
   d. A Comprehensive governance structure and Agency-wide risk management strategy has not been fully developed in accordance with government policies (SP 800-37, SP 800-39, SP 800-53).
   e. Risks from a mission and business process perspective are not addressed (SP 800-37, SP 800-39, SP 800-53).
   f. Information systems are not properly categorized (FIPS-199/SP 800-60).
   g. Appropriately tailored baseline security controls are not applied to information systems in accordance with government policies (FIPS-200/SP 800-53).
   h. Risk assessments are not conducted in accordance with government policies (SP 800-30).
   i. Security control baselines are not appropriately tailored to individual information systems in accordance with government policies (SP 800-53).
   j. The communication of information system specific risks, mission/business specific risks and organizational level (strategic) risks to appropriate levels of the organization is not in accordance with government policies.
   k. The process to assess security control effectiveness is not in accordance with government policies (SP 800-53A).
   l. The process to determine risk to agency operations, agency assets, or individuals, or to authorize information systems to operate is not in accordance with government policies (SP 800-37).
   m. The process to continuously monitor changes to information systems that may necessitate reassessment of control effectiveness is not in accordance with government policies (SP 800-37).
   n. Security plan is not in accordance with government policies (SP 800-18, SP 800-37).
   o. Security assessment report is not in accordance with government policies (SP 800-53A, SP 800-37).
   p. Accreditation boundaries for agency information systems are not defined in accordance with government policies.
   q. Other
   r. Explanation for Other

3. Comments:
   • DHS bases its risk management program on NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach and incorporated the security authorization process into the DHS Sensitive Systems Policy Directive 4300A for its unclassified systems.
For national security systems, components follow\n                      the Defense Information Assurance Certification and Accreditation Process and DHS Sensitive\n                      Systems Policy Directive 4300B policy.\n\n\n\n\n                                                         35\n\n      www.oig.dhs.gov                                                                                OIG-13-04\n\n\x0c                                     OFFICE OF INSPECTOR GENERAL\n                                         Department of Homeland Security\n\n\n      Appendix E\n      Status of Configuration Management Program\n\n                          Section 3: Status of Configuration Management Program\n                                                                                                           Response:\n4. Check one:\n A. The Agency has established and is maintaining a security configuration management program\n    that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although\n    improvement opportunities may have been identified by the OIG, the program includes the\n    following attributes:\n    1. Documented policies and procedures for configuration management.\n    2. Standard baseline configurations defined.\n    3. Assessing for compliance with baseline configurations.\n    4. Process for timely, as specified in agency policy or standards, remediation of scan result\n         deviations.\n    5. For Windows-based components, FDCC/USGCB secure configuration settings fully\n         implemented and any deviations from FDCC/USGCB baseline settings fully documented.\n    6. Documented proposed or actual changes to hardware and software configurations.\n    7. Process for timely and secure installation of software patches.\n    8. Software assessing (scanning) capabilities are fully implemented.\n    9. 
Configuration-related vulnerabilities, including scan findings, have been remediated in a\n         timely manner, as specified in Agency policy or standards.\n    10. Patch management process is fully developed, as specified in Agency policy or standards.\n B. The Agency has established and is maintaining a security configuration management program.\n    However, the Agency needs to make significant improvements as noted below.                                \xef\xbf\xbd\n\n C. The Agency has not established a security configuration management program.\n\n5. If B. is checked above, check areas that need significant improvement:\n      a. Configuration management policy is not fully developed (NIST 800-53: CM-1).\n      b. Configuration management procedures are not fully developed (NIST 800-53: CM-1).\n      c. Configuration management procedures are not consistently implemented (NIST 800-53:\n           CM-1).\n      d. Standard baseline configurations are not identified for software components (NIST 800-53:\n           CM-2).\n      e. Standard baseline configurations are not identified for all hardware components\n           (NIST 800-53: CM-2).                                                                               g\n      f. Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).\n      g. FDCC/USGCB is not fully implemented (OMB) and/or all deviations are not fully documented\n           (NIST 800-53: CM-6).\n      h. Software assessing (scanning) capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).\n      i. Configuration-related vulnerabilities, including scan findings, have not been remediated in a\n           timely manner, as specified in agency policy or standards. 
(NIST 800-53: CM-4, CM-6, RA-5,\n           SI-2).\n\n\n\n                                                         36\n\n      www.oig.dhs.gov                                                                                OIG-13-04\n\n\x0c                                    OFFICE OF INSPECTOR GENERAL\n                                        Department of Homeland Security\n\n    j. Patch management process is not fully developed, as specified in agency policy or standards.\n       (NIST 800-53: CM-3, SI-2).\n    k. Other\n    l. Explanation for Other\n                                                                                                       - Website\n                                                                                                       industry\n                                                                                                       standard\n                                                                                                       best\n6. Identify baselines reviewed:                                                                        practices\n     a. Software Name\n     b. Software Version                                                                               - Database\n                                                                                                       industry\n                                                                                                       standard\n                                                                                                       best\n                                                                                                       practices\n\n\n                      \xe2\x80\xa2 Based on our review of 27 systems, we determined that DHS components had not fully\n                        configured databases and components\xe2\x80\x99 public-facing websites based on industry standard best\n7. 
Comments:            practices.\n                      \xe2\x80\xa2 DHS HQ, TSA, USCG, and USCIS implemented more than 85 percent of USGCB configuration\n                        settings on their workstations.\n\n\n\n\n                                                        37\n\n         www.oig.dhs.gov                                                                          OIG-13-04\n\n\x0c                                    OFFICE OF INSPECTOR GENERAL\n                                       Department of Homeland Security\n\n\n      Appendix F\n      Status of Incident Response and Reporting Program\n\n                        Section 4: Status of Incident Response & Reporting Program\n                                                                                                       Response:\n8. Check one:\n A. The Agency has established and is maintaining an incident response and reporting program that is\n    consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although\n    improvement opportunities may have been identified by the OIG, the program includes the\n    following attributes:\n    1. Documented policies and procedures for detecting, responding to and reporting incidents.\n    2. Comprehensive analysis, validation and documentation of incidents.\n    3. When applicable, reports to US-CERT within established timeframes.                                  \xef\xbf\xbd\n    4. When applicable, reports to law enforcement within established timeframes.\n    5. Responds to and resolves incidents in a timely manner, as specified in agency policy or\n         standards, to minimize further damage.\n    6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable.\n    7. Is capable of correlating incidents.\n    8. There is sufficient incident monitoring and detection coverage in accordance with government\n         policies.\n B. 
The Agency has established and is maintaining an incident response and reporting program.\n    However, the Agency needs to make significant improvements as noted below.\n C. The Agency has not established an incident response and reporting program.\n\n9. If B. is checked above, check areas that need significant improvement:\n     a. Incident response and reporting policy is not fully developed (NIST 800-53: IR-1).\n     b. Incident response and reporting procedures are not fully developed or sufficiently detailed\n           (NIST 800-53: IR-1).\n     c. Incident response and reporting procedures are not consistently implemented in accordance\n           with government policies (NIST 800-61, Rev1).\n     d. Incidents were not identified in a timely manner, as specified in agency policy or standards\n           (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).\n     e. Incidents were not reported to US-CERT as required (NIST 800-53, 800-61, and OMB\n           M-07-16, M-06-19).\n     f. Incidents were not reported to law enforcement as required (SP 800-86).\n     g. Incidents were not resolved in a timely manner (NIST 800-53, 800-61, and OMB M-07-16,\n           M-06-19).\n     h. Incidents were not resolved to minimize further damage (NIST 800-53, 800-61, and OMB\n           M-07-16, M-06-19).\n     i. There is insufficient incident monitoring and detection coverage in accordance with\n           government policies (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).\n     j. The agency cannot or is not prepared to track and manage incidents in a virtual/cloud\n           environment.\n     k. The agency does not have the technical capability to correlate incident events.\n     l. Other\n     m. 
Explanation for Other\n                                                        38\n\n      www.oig.dhs.gov                                                                             OIG-13-04\n\n\x0c                       OFFICE OF INSPECTOR GENERAL\n                        Department of Homeland Security\n\n\n\n\n10. Comments:\n\n\n\n\n\n                                    39\n\n     www.oig.dhs.gov                                      OIG-13-04\n\n\x0c                                     OFFICE OF INSPECTOR GENERAL\n                                         Department of Homeland Security\n\n\n      Appendix G\n      Status of Security Training Program\n\n                                Section 5: Status of Security Training Program\n                                                                                                          Response:\n11. Check one:\n A. The Agency has established and is maintaining a security training program that is consistent with\n     FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement\n     opportunities may have been identified by the OIG, the program includes the following\n     attributes:\n     1. Documented policies and procedures for security awareness training.\n     2. Documented policies and procedures for specialized training for users with significant\n          information security responsibilities.\n     3. Security training content based on the organization and roles, as specified in agency policy or      \xef\xbf\xbd\n          standards.\n     4. Identification and tracking of the status of security awareness training for all personnel\n          (including employees, contractors, and other agency users) with access privileges that\n          require security awareness training.\n     5. 
Identification and tracking of the status of specialized training for all personnel (including\n          employees, contractors, and other agency users) with significant information security\n          responsibilities that require specialized training.\n     6. Training material for security awareness training does not contain appropriate content for\n          The Agency.\n B. The Agency has established and is maintaining a security training program. However, the Agency\n     needs to make significant improvements as noted below.\n C. The Agency has not established a security training program.\n\n\n\n\n                                                         40\n\n      www.oig.dhs.gov                                                                                OIG-13-04\n\n\x0c                                     OFFICE OF INSPECTOR GENERAL\n                                         Department of Homeland Security\n\n12. If B. is checked above, check areas that need significant improvement:\n     a. Security awareness training policy is not fully developed (NIST 800-53: AT-1).\n     b. Security awareness training procedures are not fully developed and sufficiently detailed\n          (NIST 800-53: AT-1).\n     c. Security awareness training procedures are not consistently implemented in accordance\n          with government policies (NIST 800-53: AT-2).\n     d. Specialized security training policy is not fully developed (NIST 800-53: AT-3).\n     e. Specialized security training procedures are not fully developed or sufficiently detailed in\n          accordance with government policies (SP 800-50, SP 800-53).\n     f. Training material for security awareness training does not contain appropriate content for\n          the Agency (SP 800-50, SP 800-53).\n     g. 
Identification and tracking of the status of security awareness training for personnel\n          (including employees, contractors, and other agency users) with access privileges that\n          require security awareness training is not adequate in accordance with government policies\n          (SP 800-50, SP 800-53).\n     h. Identification and tracking of the status of specialized training for personnel (including\n          employees, contractors, and other agency users) with significant information security\n          responsibilities is not adequate in accordance with government policies (SP 800-50,\n          SP 800-53).\n     i. Training content for individuals with significant information security responsibilities is not\n          adequate in accordance with government policies (SP 800-53, SP 800-16).\n     j. Less than 90% of personnel (including employees, contractors, and other agency users) with\n          access privileges completed security awareness training in the past year.\n     k. Less than 90% of employees, contractors, and other users with significant security\n          responsibilities completed specialized security awareness training in the past year.\n     l. Other\n     m. Explanation for Other\n\n                        \xe2\x80\xa2 DHS has documented policies and procedures for maintaining a security training program.\n                        \xe2\x80\xa2 DHS has established a process to validate components\xe2\x80\x99 security training.\n                        \xe2\x80\xa2 DHS has developed and implemented specialized training courses for system security\n13. 
Comments:\n                          officers and system administrators.\n                        \xe2\x80\xa2 DHS utilizes its enterprise management tool to identify and track the status of specialized\n                          training for all personnel with significant information security responsibilities.\n\n\n\n\n                                                          41\n\n      www.oig.dhs.gov                                                                                 OIG-13-04\n\n\x0c                                    OFFICE OF INSPECTOR GENERAL\n                                        Department of Homeland Security\n\n\n      Appendix H\n      Status of Plans of Actions and Milestones Program\n\n                  Section 6: Status of Plans of Actions & Milestones (POA&M) Program\n                                                                                                         Response:\n14. Check one:\n A. The Agency has established and is maintaining a POA&M program that is consistent with FISMA\n     requirements, OMB policy, and applicable NIST guidelines and tracks and monitors known\n     information security weaknesses. Although improvement opportunities may have been identified\n     by the OIG, the program includes the following attributes:\n     1. Documented policies and procedures for managing IT security weaknesses discovered during\n         security control assessments and requiring remediation.\n     2. Tracks, prioritizes and remediates weaknesses.\n     3. Ensures remediation plans are effective for correcting weaknesses.\n     4. Establishes and adheres to milestone remediation dates.\n                                                                                                            \xef\xbf\xbd\n     5. Ensures resources are provided for correcting weaknesses.\n     6. POA&Ms include security weaknesses discovered during assessments of security controls and\n         requiring remediation. 
(Do not need to include security weaknesses due to a Risk Based\n         Decision to not implement a security control.)\n     7. Costs associated with remediating weaknesses are identified.\n     8. Program officials and contractors report progress on remediation to CIO on a regular basis, at\n         least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates\n         the POA&M activities at least quarterly.\n B. The Agency has established and is maintaining a POA&M program that tracks and remediates\n     known information security weaknesses. However, the Agency needs to make significant\n     improvements as noted below.\n C. The Agency has not established a POA&M program.\n\n\n\n\n                                                        42\n\n      www.oig.dhs.gov                                                                              OIG-13-04\n\n\x0c                                    OFFICE OF INSPECTOR GENERAL\n                                        Department of Homeland Security\n\n15. If B. is checked above, check areas that need significant improvement:\n    a. POA&M Policy is not fully developed.\n    b. POA&M procedures are not fully developed and sufficiently detailed.\n    c. POA&M procedures are not consistently implemented in accordance with government\n          policies.\n    d. POA&Ms do not include security weaknesses discovered during assessments of security\n          controls and requiring remediation (OMB M-04-25).\n    e. Remediation actions do not sufficiently address weaknesses in accordance with government\n          policies (NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security Controls).\n    f. Source of security weaknesses are not tracked (OMB M-04-25).\n    g. Security weaknesses are not appropriately prioritized (OMB M-04-25).\n    h. Milestone dates are not adhered to (OMB M-04-25).\n    i. Initial target remediation dates are frequently missed (OMB M-04-25).\n    j. 
POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control CA-5, and OMB\n          M-04-25).\n    k. Costs associated with remediating weaknesses are not identified (NIST SP 800-53, Rev. 3,\n          Control PM-3 and OMB M-04-25).\n    l. Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3, Control CA-5, and\n          OMB M-04-25).\n    m. Other\n    n. Explanation for Other\n                        \xe2\x80\xa2 DHS requires components to create and manage POA&Ms for all known IT security\n                          weaknesses.\n                        \xe2\x80\xa2 DHS has developed policies and procedures for managing IT security weaknesses discovered\n                          during security control assessments and requiring remediation.\n                        \xe2\x80\xa2 As of June 30, 2012, DHS has 4,377 open POA&Ms. However, components are not entering\n16. Comments:             and tracking all IT security weaknesses in DHS\xe2\x80\x99 unclassified and classified enterprise\n                          management tools, nor are all of the data entered by the components accurate and updated\n                          in a timely manner.\n                        \xe2\x80\xa2 DHS creates quarterly POA&M progress reports, tracking weakness remediation and\n                          maintenance.\n\n\n\n\n                                                        43\n\n      www.oig.dhs.gov                                                                              OIG-13-04\n\n\x0c                                   OFFICE OF INSPECTOR GENERAL\n                                       Department of Homeland Security\n\n\n      Appendix I\n      Status of Remote Access Program\n\n                                Section 7: Status of Remote Access Program\n                                                                                                        Response:\n17. Check one:\n A. 
The Agency has established and is maintaining a remote access program that is consistent with\n    FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement\n    opportunities may have been identified by the OIG, the program includes the following attributes:\n    1. Documented policies and procedures for authorizing, monitoring, and controlling all methods\n        of remote access.\n    2. Protects against unauthorized connections or subversion of authorized connections.\n    3. Users are uniquely identified and authenticated for all access.\n    4. Telecommuting policy is fully developed.\n    5. If applicable, multi-factor authentication is required for remote access.                           \xef\xbf\xbd\n    6. Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote\n        electronic authentication, including strength mechanisms.\n    7. Defines and implements encryption requirements for information transmitted across public\n        networks.\n    8. Remote access sessions, in accordance to OMB M-07-16, are timed-out after 30 minutes of\n        inactivity after which re-authentication is required.\n    9. Lost or stolen devices are disabled and appropriately reported.\n    10. Remote access rules of behavior are adequate in accordance with government policies.\n    11. Remote access user agreements are adequate in accordance with government policies.\n B. The Agency has established and is maintaining a remote access program. However, the Agency\n    needs to make significant improvements as noted below.\n C. The Agency has not established a program for providing secure remote access.\n\n18. If B. is checked above, check areas that need significant improvement:\n    a. Remote access policy is not fully developed (NIST 800-53: AC-1, AC-17).\n    b. Remote access procedures are not fully developed and sufficiently detailed (NIST 800-53: AC-1,\n          AC-17).\n    c. 
Remote access procedures are not consistently implemented in accordance with government\n          policies (NIST 800-53: AC-1, AC-17).\n    d. Telecommuting policy is not fully developed (NIST 800-46, Section 5.1).\n    e. Telecommuting procedures are not fully developed or sufficiently detailed in accordance with\n          government policies (NIST 800-46, Section 5.4).\n    f. Agency cannot identify all users who require remote access (NIST 800-46, Section 4.2,\n          Section 5.1).\n    g. Multi-factor authentication is not properly deployed (NIST 800-46, Section 2.2, Section 3.3).\n    h. Agency has not identified all remote devices (NIST 800-46, Section 2.1).\n    i. Agency has not determined all remote devices and/or end user computers have been properly\n          secured (NIST 800-46, Section 3.1 and 4.2).\n    j. Agency does not adequately monitor remote devices when connected to the agency\xe2\x80\x99s\n          networks remotely in accordance with government policies (NIST 800-46, Section 3.2).\n\n\n                                                       44\n\n      www.oig.dhs.gov                                                                             OIG-13-04\n\n\x0c                                  OFFICE OF INSPECTOR GENERAL\n                                      Department of Homeland Security\n\n   k. Lost or stolen devices are not disabled and appropriately reported (NIST 800-46, Section 4.3,\n      US-CERT Incident Reporting Guidelines).\n   l. Remote access rules of behavior are not adequate in accordance with government policies\n      (NIST 800-53, PL-4).\n   m. Remote access user agreements are not adequate in accordance with government policies\n      (NIST 800-46, Section 5.1, NIST 800-53, PS-6).\n   n. Other\n   o. Explanation for Other\n\n\n\n19. 
Comments:\n\n\n\n\n                                                       45\n\n        www.oig.dhs.gov                                                                          OIG-13-04\n\n\x0c                                    OFFICE OF INSPECTOR GENERAL\n                                        Department of Homeland Security\n\n\n      Appendix J\n      Status of Account and Identity Management Program\n\n                     Section 8: Status of Account and Identity Management Program\n                                                                                                          Response:\n20. Check one:\n A. The Agency has established and is maintaining an identity and access management program that is\n    consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and identifies\n    users and network devices. Although improvement opportunities may have been identified by the\n    OIG, the program includes the following attributes:\n    1. Documented policies and procedures for account and identity management.\n    2. Identifies all users, including Federal employees, contractors, and others who access Agency\n        systems.\n    3. Identifies when special access requirements (e.g., multi-factor authentication) are necessary.\n    4. If multi-factor authentication is in use, it is linked to the Agency\xe2\x80\x99s PIV program where              \xef\xbf\xbd\n        appropriate.\n    5. Agency has adequately planned for implementation of PIV for logical access in accordance\n        with government policies.\n    6. Ensures that the users are granted access based on needs and separation of duties principles.\n    7. Identifies devices that are attached to the network and distinguishes these devices from users.\n    8. Identifies all User and Non-User Accounts (refers to user accounts that are on a system).\n    9. Ensures that accounts are terminated or deactivated once access is no longer required.\n    10. 
Identifies and controls use of shared accounts.\n B. The Agency has established and is maintaining an identity and access management program that\n    identifies users and network devices. However, the Agency needs to make significant\n    improvements as noted below.\n C. The Agency has not established an identity and access management program.\n\n21. If B. is checked above, check areas that need significant improvement:\n     a. Account management policy is not fully developed (NIST 800-53: AC-1).\n     b. Account management procedures are not fully developed and sufficiently detailed\n           (NIST 800-53: AC-1).\n     c. Account management procedures are not consistently implemented in accordance with\n           government policies (NIST 800-53: AC-2).\n     d. Agency cannot identify all User and Non-User Accounts (NIST 800-53, AC-2).\n     e. Accounts are not properly issued to new users (NIST 800-53, AC-2).\n     f. Accounts are not properly terminated when users no longer require access (NIST 800-53,\n           AC-2).\n     g. Agency does not use multi-factor authentication where required (NIST 800-53, IA-2).\n     h. Agency has not adequately planned for implementation of PIV for logical access in accordance\n           with government policies (HSPD-12, FIPS-201, OMB M-05-24, OMB M-07-06, OMB M-08-01,\n           OMB M-11-11).\n     i. Privileges granted are excessive or result in capability to perform conflicting functions (NIST\n           800-53, AC-2, AC-6).\n     j. Agency does not use dual accounts for administrators (NIST 800-53, AC-5, AC-6).\n     k. Network devices are not properly authenticated (NIST 800-53, IA-3).\n\n                                                        46\n\n      www.oig.dhs.gov                                                                              OIG-13-04\n\n\x0c                                   OFFICE OF INSPECTOR GENERAL\n                                       Department of Homeland Security\n\n   l. 
The process for requesting or approving membership in shared privileged accounts is not\n      adequate in accordance to government policies.\n   m. Use of shared privileged accounts is not necessary or justified.\n   n. When shared accounts are used, the Agency does not renew shared account credentials when\n      a member leaves the group.\n   o. Other\n   p. Explanation for Other\n\n                   DHS has not yet fully implemented required multi-factor authentication across the Department.\n                   DHS has issued HSPD 12 PIV compliant cards to all employees and contractors across the\n22. Comments:\n                   Department. However, the Department is not utilizing PIV compliant cards to access all its\n                   information systems, and plans to achieve only 20 percent compliance by the end of FY 2012.\n\n\n\n\n                                                       47\n\n        www.oig.dhs.gov                                                                           OIG-13-04\n\n\x0c                                   OFFICE OF INSPECTOR GENERAL\n                                       Department of Homeland Security\n\n\n      Appendix K\n      Status of Continuous Monitoring Program\n\n                           Section 9: Status of Continuous Monitoring Program\n                                                                                                        Response:\n23. Check one:\n A. The Agency has established an enterprise-wide continuous monitoring program that assesses the\n    security state of information systems that is consistent with FISMA requirements, OMB policy, and\n    applicable NIST guidelines. Although improvement opportunities may have been identified by the\n    OIG, the program includes the following attributes:\n    1. Documented policies and procedures for continuous monitoring.                                       \xef\xbf\xbd\n    2. 
Documented strategy and plans for continuous monitoring.
    3. Ongoing assessments of security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans.
    4. Provides authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions and updates with the frequency defined in the strategy and/or plans.
 B. The Agency has established an enterprise-wide continuous monitoring program that assesses the security state of information systems. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established a continuous monitoring program.

24. If B. is checked above, check areas that need significant improvement:
     a. Continuous monitoring policy is not fully developed (NIST 800-53: CA-7).
     b. Continuous monitoring procedures are not fully developed (NIST 800-53: CA-7).
     c. Continuous monitoring procedures are not consistently implemented (NIST 800-53: CA-7; 800-37 Rev 1, Appendix G).
     d. Strategy or plan has not been fully developed for enterprise-wide continuous monitoring (NIST 800-37 Rev 1, Appendix G).
     e. Ongoing assessments of security controls (system-specific, hybrid, and common) have not been performed (NIST 800-53, NIST 800-53A).
     f. The following were not provided to the authorizing official or other key system officials: security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST 800-53, NIST 800-53A).
     g. Other
     h. Explanation for Other

25. Comments:
DHS has established an entity-wide continuous monitoring program that assesses the security state of information systems and that is generally consistent with applicable NIST guidance. For example, we determined:

    • DHS’ continuous monitoring program is focused at the asset level, which includes the monitoring of system vulnerabilities, configuration settings, malware, patch information, hardware, and software installed on its systems.
    • DHS collects component data through manual and automated processes; the data are compiled into a monthly FISMA scorecard. The scorecard provides an information security grade that is composed of various continuous monitoring metrics (i.e., security authorization, weakness remediation, asset management).

Appendix L
Status of Contingency Planning Program

Section 10: Status of Contingency Planning Program
Response:
26. Check one:
 A. ✓ The Agency established and is maintaining an enterprise-wide business continuity/disaster recovery program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster.
    2. The agency has performed an overall Business Impact Analysis (BIA).
    3. Development and documentation of division, component, and IT infrastructure recovery strategies, plans and procedures.
    4. Testing of system specific contingency plans.
    5. The documented business continuity and disaster recovery plans are in place and can be implemented when necessary.
    6. Development of test, training, and exercise (TT&E) programs.
    7. Performance of regular ongoing testing or exercising of business continuity/disaster recovery plans to determine effectiveness and to maintain current plans.
    8. After-action report that addresses issues identified during contingency/disaster recovery exercises.
    9. Systems that have alternate processing sites.
    10. Alternate processing sites are subject to the same risks as primary sites.
    11. Backups of information that are performed in a timely manner.
    12. Contingency planning that considers supply chain threats.
 B. The Agency has established and is maintaining an enterprise-wide business continuity/disaster recovery program. However, the Agency needs to make significant improvements as noted below.
 C. The Agency has not established a business continuity/disaster recovery program.

27. If B. is checked above, check areas that need significant improvement:
     a. Contingency planning policy is not fully developed, or contingency planning policy is not consistently implemented (NIST 800-53: CP-1).
     b. Contingency planning procedures are not fully developed (NIST 800-53: CP-1).
     c. Contingency planning procedures are not consistently implemented (NIST 800-53; 800-34).
     d. An overall business impact assessment has not been performed (NIST SP 800-34).
     e. Development of organization, component, or infrastructure recovery strategies and plans has not been accomplished (NIST SP 800-34).
     f. A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP 800-34).
     g. A business continuity/disaster recovery plan has been developed, but not fully implemented (FCD1, NIST SP 800-34).
     h. System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP 800-53).
     i. Systems contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53).
     j. Test, training, and exercise programs have not been developed (FCD1, NIST SP 800-34, NIST 800-53).
     k. Test, training, and exercise programs have been developed, but are not fully implemented (FCD1, NIST SP 800-34, NIST SP 800-53).
     l. After-action report did not address issues identified during contingency/disaster recovery exercises (FCD1, NIST SP 800-34).
     m. Systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
     n. Alternate processing sites are subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
     o. Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
     p. Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53).
     q. Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP 800-53).
     r. Contingency planning does not consider supply chain threats.
     s. Other
     t. Explanation for Other

28. Comments:

Appendix M
Status of Agency Program to Oversee Contractor Systems

Section 11: Status of Agency Program to Oversee Contractor Systems
Response:
29. Choose one:
 A. ✓ The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities, including Agency systems and services residing in the cloud external to the Agency. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for information security oversight of systems operated on the Agency’s behalf by contractors or other entities, including Agency systems and services residing in public cloud.
    2. The Agency obtains sufficient assurance that security controls of such systems and services are effectively implemented and comply with Federal and agency guidelines.
    3. A complete inventory of systems operated on the Agency’s behalf by contractors or other entities, including Agency systems and services residing in public cloud.
    4. The inventory identifies interfaces between these systems and Agency-operated systems.
    5. The Agency requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
    6. The inventory of contractor systems is updated at least annually.
    7. Systems that are owned or operated by contractors or entities, including Agency systems and services residing in public cloud, are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.
 B. The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities, including Agency systems and services residing in public cloud. However, the Agency needs to make significant improvements as noted below.
 C. The Agency does not have a program to oversee systems operated on its behalf by contractors or other entities, including Agency systems and services residing in public cloud.

Appendix N
Status of Security Capital Planning Program

Section 12: Status of Security Capital Planning Program
Response:
32. Check one:
 A. ✓ The Agency has established and maintains a security capital planning and investment program for information security. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
     1. Documented policies and procedures to address information security in the capital planning and investment control process.
     2. Includes information security requirements as part of the capital planning and investment process.
     3. Establishes a discrete line item for information security in organizational programming and documentation.
     4. Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required.
     5. Ensures that information security resources are available for expenditure as planned.
 B. The Agency has established and maintains a capital planning and investment program. However, the Agency needs to make significant improvements as noted below.
 C. The Agency does not have a capital planning and investment program.

33. If B. is checked above, check areas that need significant improvement:
     a. CPIC information security policy is not fully developed.
     b. CPIC information security procedures are not fully developed.
     c. CPIC information security procedures are not consistently implemented.
     d. The Agency does not adequately plan for IT security during the CPIC process (SP 800-65).
     e. The Agency does not include a separate line for information security in appropriate documentation (NIST 800-53: SA-2).
     f. Exhibits 300/53 or business cases do not adequately address or identify information security costs (NIST 800-53: PM-3).
     g. The Agency does not provide IT security funding to maintain the security levels identified.
     h. Other
     i. Explanation for Other

34. Comments:
DHS maintains a security capital planning and investment program for information security. For example:

    • DHS bases its CPIC process on OMB’s Circular A-11, Part 7 - Planning, Budgeting, Acquisition, and Management of Capital Assets, which defines the policies for planning, budgeting, acquiring, and managing Federal capital assets.18
    • DHS has developed an automated process to help ensure that the department’s IT and non-IT investments are successfully managed, cost effective, and support DHS’ mission and strategic goals.
    • DHS produces a supplementary budgetary document known as an exhibit 53b which specifically outlines the Department’s information security costs.

18 OMB’s Circular A-11, Part 7 – Planning, Budgeting, Acquisition, and Management of Capital Assets, June 2008.

Appendix O
Major Contributors to This Report
Chiu-Tong Tsang, Director
Aaron Zappone, Team Lead
Amanda Strickler, IT Specialist
Michael Kim, IT Auditor
David Bunning, IT Specialist
Pachern Thapanawat, IT Auditor
Greg Wilson, Management/Program Assistant
Thomas Rohrback, Referencer

Appendix P
Report Distribution
Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Acting Chief Information Security Officer
Acting Director, Compliance and Oversight, Office of CISO
Chief Information Officer Audit Liaison
Chief Information Security Officer Audit Liaison
Component Chief Information Officers
Component Chief Information Security Officers
Acting Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your request to (202) 254-4305, or e-mail your request to our Office of Inspector General (OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any other kinds of criminal or noncriminal misconduct relative to Department of Homeland Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov and click on the red tab titled "Hotline" to report. You will be directed to complete and submit an automated DHS OIG Investigative Referral Submission Form. Submission through our website ensures that your complaint will be promptly received and reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245 Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.